###############################################################################
#
#                           CSIv2 Properties File
#
#  This file contains properties that are used by the CSIv2 component 
#  of the WebSphere Application Server product.  CSIv2 executes on 
#  WebSphere java servers and client systems with java applications that 
#  access WebSphere servers over the IIOP protocol.
#
#  ** CSIv2 Trace Instructions **
#
#  Note:  To enable logging of trace on the application client, add the 
#  following property to the startup script: -DtraceSettingsFile=filename.
#  Do not specify filename as a fully qualified path and filename, just
#  specify the filename.  The file must exist in the classpath to be loaded. 
#  A sample file is provided in <was_root>/properties/TraceSettings.properties.
#
#  There are two related functions provided by this file: 
#
#    1.traceFileName property
#      This should be set to the fully qualified name of a file to which you want
#      output written. For example, traceFileName=c:\\MyTraceFile.log. This
#      property must be specified, otherwise no visible output is generated. 
#    2.Trace string
#      To enable CSIv2 trace, specify the trace string: SASRas=all=enabled
#
#  If you only want to trace specific classes, you can specify a trace filter by
#  adding the property com.ibm.CORBA.securityTraceFilter=<comma-separated class names>
#
#  Example:  com.ibm.CORBA.securityTraceFilter=SecurityConnectionInterceptor, CSIClientRI, SessionManager
#
#  ** Encoding Passwords in this File **
#
#  The PropFilePasswordEncoder utility may be used to encode passwords in a
#  properties file. To edit an encoded password, replace the whole password
#  string (including the encoding tag {...}) with the new password and then
#  encode the password with the PropFilePasswordEncoder utility. Refer to
#  product documentation for additional information.
#
#  Note:  The old SAS protocol has been removed.   Only CSIv2 is supported in
#         this release.
#
#  Note:  Kerberos is not supported for AdminClient. A copy of the file needs to be created
#         for use with the pure java client.
#
###############################################################################

#------------------------------------------------------------------------------
# Client Security Enablement
#
# - security enabled status  ( false, true [default] )
#------------------------------------------------------------------------------
com.ibm.CORBA.securityEnabled=true

#------------------------------------------------------------------------------
# Authentication Configuration
#
# - authenticationTarget       (BasicAuth [default], KRB5. These are the only supported selection
#                               on a pure client for this release.  This is for message
#                               layer authentication only, SSL client certificate authentication
#                               is configured below under CSIv2 configuration.)
# - authenticationRetryEnabled (enables authentication retries if login fails when 
#                               loginSource=prompt or stdin)
# - authenticationRetryCount   (the number of times to retry)
# - source                     (when authenticationTarget=BasicAuth, the source supported are 
#                               prompt [default], properties, stdin, none.
#                               when authenticationTarget=KRB5, the source supported are 
#                               prompt [default], properties, stdin, none,
#                               krb5Ccache, krb5Ccache:prompt, krb5Ccache:properties,
#                               krb5Ccache:stdin) 
# - krb5ConfigFile             (This optional property can be set to specify a location of the 
#                               Kerberos configuration file as an URL. If the krb5ConfigFile
#                               not specify, then the default Kerberos configuration file will be used.) 
# - krb5CcacheFile             (authenticationTarget=KRB5 and source=krb5Ccache*, this
#                               optional property can be set to specify a location of the 
#                               Kerberos credential cache as an URL. If the krb5CcacheFile
#                               not specify, then the default ccache will be used.) 
# - timeout                    (prompt timeout, specified in seconds, 0 min to 600 max [default 300])
# - validateBasicAuth          (determines if immediate authentication after uid/pw login, 
#                               or wait for method request to send uid/pw to server, 
#                               setting this to false gives the previous release behavior.)
# - securityServerHost         (when validateBasicAuth=true, this property might need to be set
#                               in order for security code to lookup SecurityServer.  Needs to be set to
#                               any running WebSphere server host in the cell you are authenticating to.
# - securityServerPort         (when validateBasicAuth=true, this property might need to be set
#                               in order for security code to lookup SecurityServer.  Needs to be set to
#                               the bootstrap port of the host chosen above.
# - loginUserid                (must be set if login source is "properties". If the client is communicating
#                               with multple realms - see loginRealm description below for more information -
#                               multiple values can be entered using the pipe "|" separator.
#                               Example: user1|user2|user3. The number of entries here should match the ones
#                               in -loginPasword and -loginRealm entries. )
# - loginPassword              (must be set if login source is "properties". If the client is communicating 
#                               with multple realms - see loginRealm description below for more information - 
#                               multiple values can be entered using the pipe "|" separator.
#                               Example: user1Password|user2Password|user3Password. The number of entries here 
#                               should match the ones in -loginUserid and -loginRealm entries. )
# - loginRealm                 (must be set if login source is "properties". If the client is communicating 
#                               with multiple realms (different user registries)enter the realm names here.  
#                               multiple values can be entered using the pipe "|" separator.
#                               Example: user1Realm|user2Realm|user3Realm. The number of entries here 
#                               should match the ones in -loginUserid and -loginPassword entries
#                               Make sure that the line is uncommented. )
# - principalName              (format: "realm/userid", only needed in cases where realm 
#                               is required. Typically the realm is already provided by the
#                               server via the IOR and this property is not necessary).
#
#------------------------------------------------------------------------------
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CORBA.authenticationRetryEnabled=true
com.ibm.CORBA.authenticationRetryCount=3
com.ibm.CORBA.validateBasicAuth=true
com.ibm.CORBA.securityServerHost=
com.ibm.CORBA.securityServerPort=
com.ibm.CORBA.loginTimeout=300
com.ibm.CORBA.loginSource=prompt

# RMI/IIOP user identity
com.ibm.CORBA.loginUserid=
com.ibm.CORBA.loginPassword=

#------------------------------------------------------------------------------
# If krb5ConfigFile is not specified, the Kerberos config file at the default location 
# will be used.
#       Example: com.ibm.CORBA.krb5ConfigFile=/utle/krb5.conf
#------------------------------------------------------------------------------
com.ibm.CORBA.krb5ConfigFile=

#------------------------------------------------------------------------------
# - krb5CcacheFile           ( authenticationTarget=KRB5 and loginSource=krb5Ccache, this
#                              optional property can be set to specify a location of the
#                              Kerberos credential cache as an URL. )
#
# If loginSource=krb5ccache, following steps need to be done:
#       1) Set krb5CcacheFile to an URL or leave it blank to use the default ccache location
#               Example: com.ibm.CORBA.krb5CcacheFile=FILE:/utle/krb5cc_utle
#       2) If the following options are existed in the wsjaas_client.conf file, set them to false
#               useDefaultKeytab=false 
#               useDefaultCcache=false 
#               tryFirstPass=false 
#               useFirstPass=false 
#               forwardable=false 
#               renewable=false 
#               noaddress=false 
# 
# Note: For Microsoft Windows Kerberos native ccache, set the following properties to blank 
#               com.ibm.CORBA.krb5CcacheFile=  
#               com.ibm.CORBA.loginUserid=  
#               com.ibm.CORBA.loginPassword=         
#------------------------------------------------------------------------------
com.ibm.CORBA.krb5CcacheFile=

#------------------------------------------------------------------------------
# See description above before you uncomment and use the loginRealm property.
# Note that the number of entries here should match the entries in loginUserid and loginPassword
#------------------------------------------------------------------------------
#com.ibm.CORBA.loginRealm=

#------------------------------------------------------------------------------
# CSIv2 Configuration (see InfoCenter for more information on these properties).
#
# This is where you enable SSL client certificate authentication.  Must also 
# specify a valid SSL keyStore below with a personal certificate in it.
#------------------------------------------------------------------------------

# Does this client support stateful sessions?
com.ibm.CSI.performStateful=true

# Does this client support/require BasicAuth (userid/password) client authentication?
com.ibm.CSI.performClientAuthenticationRequired=false
com.ibm.CSI.performClientAuthenticationSupported=true

# Does this client support/require SSL client authentication?  
com.ibm.CSI.performTLClientAuthenticationRequired=false
com.ibm.CSI.performTLClientAuthenticationSupported=false

# Note: You can perform BasicAuth (uid/pw) and SSL client authentication (certificate)
# simultaneously, however, the BasicAuth identity will always take precedence at the server.

# Does this client support/require SSL connections?
com.ibm.CSI.performTransportAssocSSLTLSRequired=true
com.ibm.CSI.performTransportAssocSSLTLSSupported=false

# Does this client support/require 40-bit cipher suites when using SSL?
com.ibm.CSI.performMessageIntegrityRequired=true
com.ibm.CSI.performMessageIntegritySupported=true
# Note: This property is only valid when SSL connections are supported or required.

# Does this client support/require 128-bit cipher suites when using SSL?
com.ibm.CSI.performMessageConfidentialityRequired=false
com.ibm.CSI.performMessageConfidentialitySupported=true
# Note: This property is only valid when SSL connections are supported or required.

#------------------------------------------------------------------------------
# SSL configuration alias referenced in ssl.client.props
#------------------------------------------------------------------------------
com.ibm.ssl.alias=DefaultSSLSettings

#------------------------------------------------------------------------------
# CORBA Request Timeout (used when getting NO_RESPONSE exceptions, typically
#                        during high-stress loads.  Specify on all processes
#                        involved in the communications.)
#
# - timeout             (specified in seconds [default 180], 0 implies no timeout)
#
#    com.ibm.CORBA.requestTimeout=180
#------------------------------------------------------------------------------
com.ibm.CORBA.requestTimeout=180

